agenttesla | 5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30

Analysis

max time kernel
120s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Size

821KB
MD5

7c36f1554bb662abddb2fafb5db3037d
SHA1

4d2b146919805242a1699139d2937bae4fddfd4b
SHA256

5f93d1ba8286162e4e7ebe907745b186d2301534fd8b39a84f129f3857f16c30
SHA512

caa4b4b05fdd1a5b68979ed0c2388c727dd3d89d34a2351e7e392e1dd1764a87a0af1106e7beaa65a287cd625088daeb9ccfcad4fed8ca39b273fa7142c53665
SSDEEP

24576:PBKn35eX+HnjaKB2LJKI923eTuOmvzzx428hYTGu:EpjHnj3B2VKI92uuOmrOSTGu

Score

10^/10

agenttesla redline xworm foz collection discovery execution infostealer keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

212.162.149.53:7071

Mutex

9GNxvcpH1EHQrLdj

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

redline

Botnet

FOZ

212.162.149.53:36014

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000019480-30.dat	family_xworm
behavioral1/memory/1892-42-0x0000000000950000-0x0000000000960000-memory.dmp	family_xworm
behavioral1/memory/2272-66-0x0000000000210000-0x0000000000220000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0006000000019489-36.dat	family_redline
behavioral1/memory/2752-41-0x0000000000210000-0x0000000000262000-memory.dmp	family_redline
behavioral1/memory/1892-48-0x0000000002090000-0x00000000020E2000-memory.dmp	family_redline
behavioral1/memory/1892-49-0x000000001A7F0000-0x000000001A842000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3068	powershell.exe
2024	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	apihost.exe

Executes dropped EXE 3 IoCs

pid	Process
1892	XClient.exe
2752	build.exe
2272	apihost.exe

Loads dropped DLL 2 IoCs

pid	Process
2940	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
2940	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	XClient.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	XClient.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	XClient.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	apihost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	checkip.dyndns.org
17	api.ipify.org
18	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 2940	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2776	schtasks.exe
1972	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1892	XClient.exe
2272	apihost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
3068	powershell.exe
1892	XClient.exe
2752	build.exe
1892	XClient.exe
2024	powershell.exe
1892	XClient.exe
1892	XClient.exe
1892	XClient.exe
1892	XClient.exe
2272	apihost.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1892	XClient.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1892	XClient.exe
Token: SeDebugPrivilege	2752	build.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2272	apihost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1892	XClient.exe
1892	XClient.exe
1892	XClient.exe
1892	XClient.exe
2272	apihost.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 3068	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	30
PID 2132 wrote to memory of 3068	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	30
PID 2132 wrote to memory of 3068	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	30
PID 2132 wrote to memory of 3068	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	30
PID 2132 wrote to memory of 2776	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	31
PID 2132 wrote to memory of 2776	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	31
PID 2132 wrote to memory of 2776	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	31
PID 2132 wrote to memory of 2776	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	31
PID 2132 wrote to memory of 2940	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	34
PID 2132 wrote to memory of 2940	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	34
PID 2132 wrote to memory of 2940	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	34
PID 2132 wrote to memory of 2940	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	34
PID 2132 wrote to memory of 2940	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	34
PID 2132 wrote to memory of 2940	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	34
PID 2132 wrote to memory of 2940	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	34
PID 2132 wrote to memory of 2940	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	34
PID 2132 wrote to memory of 2940	2132	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	34
PID 2940 wrote to memory of 1892	2940	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	35
PID 2940 wrote to memory of 1892	2940	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	35
PID 2940 wrote to memory of 1892	2940	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	35
PID 2940 wrote to memory of 1892	2940	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	35
PID 2940 wrote to memory of 2752	2940	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	36
PID 2940 wrote to memory of 2752	2940	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	36
PID 2940 wrote to memory of 2752	2940	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	36
PID 2940 wrote to memory of 2752	2940	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	36
PID 1892 wrote to memory of 1972	1892	XClient.exe	38
PID 1892 wrote to memory of 1972	1892	XClient.exe	38
PID 1892 wrote to memory of 1972	1892	XClient.exe	38
PID 1892 wrote to memory of 2024	1892	XClient.exe	39
PID 1892 wrote to memory of 2024	1892	XClient.exe	39
PID 1892 wrote to memory of 2024	1892	XClient.exe	39
PID 1892 wrote to memory of 2272	1892	XClient.exe	42
PID 1892 wrote to memory of 2272	1892	XClient.exe	42
PID 1892 wrote to memory of 2272	1892	XClient.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	XClient.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	XClient.exe

C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YkxAHNcqEmoeLS.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkxAHNcqEmoeLS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD45F.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe
  "C:\Users\Admin\AppData\Local\Temp\Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:1892
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 08:07 /du 23:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2024
  - - C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
      "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2272
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD45F.tmp

Filesize
1KB

MD5
e3df24f15a34872fc1b40c9d615d729d

SHA1
3bcbec95ed5385bd302eba60a2a3997bcfa4d9ae

SHA256
12ee70755fdc103812c4f49744d2836845bed87a58d78ec13effd5161bbe67ff

SHA512
eeddba068d4845e8d34bf1cd66da4489e50974bac399ab33aebc38faad6c4c06c27606dabf449020ca124235f429a4b08e54170e4abccf4dd7357fb8227c7af9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XTDELP1I1U8LMSAAEU9K.temp

Filesize
7KB

MD5
adf79029ff5b1f79f1650a245dbf2098

SHA1
e1f5ec25fbc3d737dca433b56871506885de39ac

SHA256
a5a77f9db3353108499de3bbb4d23ecf020e5f8bbbda89a48ac9fbfe6313f646

SHA512
3beec93ec83a736e67409f230cf3636cf4976484d0b4e63cefd033b6bf494c92851943721623b80c0beaaad814ad083ac820ac9d589b2ba6432842c98a312718

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
692B

MD5
983b6a2338d170d0350ccdd9812fb5b7

SHA1
a043917ae26411379b8f5e8ed57d930e630ab04b

SHA256
12702c7b80ba7a92e36a440809d0b15c20b2f9ff4d1d4e005ad1fcc3449502c9

SHA512
cffb02b459ed09051d3a0d78b6fd55f2d7451305696eb82640cfd58a34b6c37ce55385ee72fc17ed7a298f132bd57fe4670edd63c759aff8895873341f1fff03

Download Submit
\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
40KB

MD5
1c5cf825e29b63a62c3c8b1589d51a1e

SHA1
ea4f1dceeeea35b6bd17f4040511bbd0341246a8

SHA256
d868406f1fdc6a5c15a70f03f6279fb8a3fe190ea5a4911bf6839fc483c753b0

SHA512
c780aff70b930ea221ffd96081c02116f76d2c7b20590fff6ab04038e2aef50ad57eb8f28a67c4dfdb6a00e3fe393e1238d448c3f346585242ee18d180203fd2

Download Submit
\Users\Admin\AppData\Local\Temp\build.exe

Filesize
300KB

MD5
1ed2ecae05aaa1c505136f5252287cc7

SHA1
2c73c09437c4c1d5e90013a6ca7a65ac0a5fadc5

SHA256
d771f70ba342e5d4cd7f129a4a2b4a6c6c7293233135f266db33f356986a70f9

SHA512
ca82139310ea62ec8703f6fcb19d843644a5ce40323e8f7857c9fd3173bb0796eb20f9002209b9fcbfa7ce9858fe3b932e070f8449bc2736b6712d39515d9219

Download Submit
memory/1892-58-0x000000001A5C0000-0x000000001A604000-memory.dmp

Filesize
272KB

Download
memory/1892-50-0x0000000002100000-0x0000000002118000-memory.dmp

Filesize
96KB

Download
memory/1892-49-0x000000001A7F0000-0x000000001A842000-memory.dmp

Filesize
328KB

Download
memory/1892-48-0x0000000002090000-0x00000000020E2000-memory.dmp

Filesize
328KB

Download
memory/1892-47-0x0000000000920000-0x000000000093E000-memory.dmp

Filesize
120KB

Download
memory/1892-42-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/1892-59-0x000000001A730000-0x000000001A774000-memory.dmp

Filesize
272KB

Download
memory/2024-57-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2024-56-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/2132-27-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2132-6-0x0000000005270000-0x0000000005312000-memory.dmp

Filesize
648KB

Download
memory/2132-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x0000000001190000-0x0000000001264000-memory.dmp

Filesize
848KB

Download
memory/2132-2-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2132-3-0x00000000009F0000-0x0000000000A0C000-memory.dmp

Filesize
112KB

Download
memory/2132-4-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/2132-5-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2272-66-0x0000000000210000-0x0000000000220000-memory.dmp

Filesize
64KB

Download
memory/2752-41-0x0000000000210000-0x0000000000262000-memory.dmp

Filesize
328KB

Download
memory/2940-12-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2940-22-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2940-24-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2940-21-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2940-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2940-14-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2940-18-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2940-16-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download